A Fast Security Scan for developers.

Scan Node.js projects for supply-chain attack indicators, clean node_modules safely, and flag outdated dependencies. One POSIX shell script. Zero dependencies. macOS & Debian.

git clone https://github.com/coodyapp/fss && fss/apps/cli/bin/fss scan .

fss scan ~/projects/api
1/7  Lifecycle scripts (install-time execution)
    suspicious lifecycle script: node_modules/evil-pkg/package.json
2/7  Known malicious files (IOC name match)
    known payload file name: node_modules/evil-pkg/bun_environment.js
3/7  Malicious code signatures
    no malicious code signatures
4/7  Credential exposure
    .env file tracked in git: .env
5/7  Registry config + lockfile integrity
    registry config and lockfiles look sane
6/7  Unexpected binaries in node_modules
    no unexpected binaries
7/7  Host persistence artefacts
    no persistence artefacts

Summary
  2 critical, 1 warning(s) — investigate before installing or running anything.

fss scan

Seven check groups built from real 2025–2026 npm incidents: malicious lifecycle scripts, known payload file names, obfuscated-eval signatures, committed credentials, poisoned registries and lockfiles, rogue binaries, and host persistence artefacts.

exit codes: 0 clean · 1 warning(s) · 2 critical
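A minimal version of check 1/7, as an added example that is not the fss project's own script: it walks node_modules for package.json files whose "scripts" block declares preinstall, install or postinstall, prints findings in the same style as the session above, and returns 0 when clean and 2 when something is flagged, matching the exit-code convention. The hook names, the awk heuristic and the constructed fixture are assumptions.

```shell
#!/bin/sh
# Added example, not the fss project's own code: a minimal POSIX-sh version of
# check 1/7 "Lifecycle scripts". Hook names, awk heuristic and fixture are assumptions.

# Exit 0 if the package.json at $1 declares an install-time hook inside its
# "scripts" block. Line-oriented awk heuristic, not a JSON parser.
has_install_hook() {
  awk '
    /"scripts"[ \t]*:[ \t]*[{]/                 { inscripts = 1 }
    inscripts && /"(pre|post)?install"[ \t]*:/  { found = 1 }
    inscripts && /[}]/                          { inscripts = 0 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Print every flagged package.json below $1/node_modules (depth 2 covers
# plain packages, depth 3 covers @scope/pkg); nested node_modules are skipped.
find_lifecycle_hooks() {
  find "$1/node_modules" -mindepth 2 -maxdepth 3 -name package.json 2>/dev/null |
  while IFS= read -r pkg; do
    if has_install_hook "$pkg"; then printf '%s\n' "$pkg"; fi
  done
}

# Report in the fss output style and use its exit codes: 0 clean, 2 critical.
check_lifecycle_scripts() {
  hits=$(find_lifecycle_hooks "$1")
  if [ -z "$hits" ]; then
    printf '    no suspicious lifecycle scripts\n'
    return 0
  fi
  printf '%s\n' "$hits" | sed 's/^/    suspicious lifecycle script: /'
  return 2
}

# Constructed fixture: one benign package and one with a postinstall hook.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/node_modules/left-pad" "$dir/node_modules/evil-pkg"
  printf '{ "name": "left-pad", "scripts": { "test": "node test.js" } }\n' \
    > "$dir/node_modules/left-pad/package.json"
  printf '{\n  "name": "evil-pkg",\n  "scripts": {\n    "postinstall": "node bun_environment.js"\n  }\n}\n' \
    > "$dir/node_modules/evil-pkg/package.json"
  printf '%s\n' "$dir"
}

# Stand-alone: scan the given project dir, or the constructed fixture if none is given.
if [ $# -gt 0 ]; then project=$1; else project=$(make_fixture); fi
check_lifecycle_scripts "$project" || echo "exit code: $?"
```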

fss clean

Finds every node_modules directory, shows sizes and the total you'll reclaim, and deletes only after confirmation. Never follows symlinks, never touches anything not literally named node_modules. Pass --dry-run to preview.

safe by construction

fss outdated

Compares installed versions against the npm registry and highlights major-version drift. Works with curl or wget, degrades gracefully offline, and exits non-zero when dependencies lag — ready for CI gates.

exit codes: 0 current · 1 outdated

Why a shell script?